diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm
index 6c24fd653..48a9dc869 100644
--- a/Shorewall-perl/Shorewall/Actions.pm
+++ b/Shorewall-perl/Shorewall/Actions.pm
@@ -426,12 +426,7 @@ sub process_action3( $$$$$ ) {
 my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line 1, 8, 'action file';
 if ( $target eq 'COMMENT' ) {
- if ( $capabilities{COMMENTS} ) {
- ( $comment = $line ) =~ s/^\s*COMMENT\s*//;
- } else {
- warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
- }
-
+ process_comment;
 next;
 }
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 04fec43cf..f69520923 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -52,6 +52,7 @@ our @EXPORT = qw( STANDARD
 POSTROUTE_RESTRICT
 ALL_RESTRICT
+ process_comment
 push_cmd_mode
 pop_cmd_mode
 add_command
@@ -257,6 +258,17 @@ my $chainseq;
 # Chain reference , Command
 #
+#
+# Process a COMMENT line (in $line)
+#
+sub process_comment() {
+ if ( $capabilities{COMMENTS} ) {
+ ( $comment = $line ) =~ s/^\s*COMMENT\s*//;
+ fatal_error "COMMENT lines may not contain double quotes" if $comment =~ /"/;
+ } else {
+ warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
+ }
+}
 #
 # Functions to manipulate cmdcount
 #
diff --git a/Shorewall-perl/Shorewall/Nat.pm b/Shorewall-perl/Shorewall/Nat.pm
index dabbaa5c6..3d0edb374 100644
--- a/Shorewall-perl/Shorewall/Nat.pm
+++ b/Shorewall-perl/Shorewall/Nat.pm
@@ -271,11 +271,7 @@ sub setup_masq()
 }
 if ( $fullinterface eq 'COMMENT' ) {
- if ( $capabilities{COMMENTS} ) {
- ( $comment = $line ) =~ s/^\s*COMMENT\s*//;
- } else {
- warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
- }
+ process_comment;
 } else {
 setup_one_masq $fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark;
 }
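Review bot: The new `fatal_error "COMMENT lines may not contain double quotes" if $comment =~ /"/;` in process_comment (Chains.pm) rejects only the double-quote character, so if $comment is later interpolated into a double-quoted argument of a generated shell command (how it is emitted is not visible in this hunk), `$`, backtick and backslash would remain shell-significant and still pass the check; the emission site should be confirmed, and an allow-list of permitted comment characters would be a more robust guard than a single deny-listed one. Because this check turns a previously accepted line into a fatal compile error and assigns a module global, the header comment should state that contract, e.g. `# Process a COMMENT line (in $line): sets the global $comment, or warns and leaves it untouched when the COMMENTS capability is absent. Fatal if the comment text contains a double quote.` The identical inline blocks replaced by `process_comment;` in Actions.pm, Nat.pm (setup_masq and setup_nat), Rules.pm, Tc.pm and Tunnels.pm need no separate note; the callers rely on the empty prototype being imported at compile time for the paren-less call, which holds as long as each module loads Shorewall::Chains via use.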
@@ -384,11 +380,7 @@ sub setup_nat() {
 }
 if ( $external eq 'COMMENT' ) {
- if ( $capabilities{COMMENTS} ) {
- ( $comment = $line ) =~ s/^\s*COMMENT\s*//;
- } else {
- warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
- }
+ process_comment;
 } else {
 do_one_nat $external, $interface, $internal, $allints, $localnat;
 }
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index abe87828e..a9c57efd3 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -699,11 +699,7 @@ sub setup_mac_lists( $ ) {
 }
 if ( $disposition eq 'COMMENT' ) {
- if ( $capabilities{COMMENTS} ) {
- ( $comment = $line ) =~ s/^\s*COMMENT\s*//;
- } else {
- warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
- }
+ process_comment;
 } else {
 ( $disposition, my $level ) = split /:/, $disposition;
@@ -1264,11 +1260,7 @@ sub process_rules() {
 }
 if ( $target eq 'COMMENT' ) {
- if ( $capabilities{COMMENTS} ) {
- ( $comment = $line ) =~ s/^\s*COMMENT\s*//;
- } else {
- warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
- }
+ process_comment;
 } elsif ( $target eq 'SECTION' ) {
 fatal_error "Invalid SECTION $source" unless defined $sections{$source};
 fatal_error "Duplicate or out of order SECTION $source" if $sections{$source};
diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm
index 5be81dba0..15c765745 100644
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@@ -533,11 +533,7 @@ sub setup_tc() {
 }
 if ( $mark eq 'COMMENT' ) {
- if ( $capabilities{COMMENTS} ) {
- ( $comment = $line ) =~ s/^\s*COMMENT\s*//;
- } else {
- warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
- }
+ process_comment;
 } else {
 process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
 }
diff --git a/Shorewall-perl/Shorewall/Tunnels.pm b/Shorewall-perl/Shorewall/Tunnels.pm
index 65d47866b..297c1aba2 100644
--- a/Shorewall-perl/Shorewall/Tunnels.pm
+++ b/Shorewall-perl/Shorewall/Tunnels.pm
@@ -263,11 +263,7 @@ sub setup_tunnels() {
 }
 if ( $kind eq 'COMMENT' ) {
- if ( $capabilities{COMMENTS} ) {
- ( $comment = $line ) =~ s/^\s*COMMENT\s*//;
- } else {
- warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
- }
+ process_comment;
 } else {
 setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 }